Barclays Bank is to embed contactless technology into every debit card issued from this day forward, allowing punters to pay for coffee with a wave of the wallet - providing they can find somewhere that accepts the new technology.
Barclays has had a contactless card for a while now; the OnePulse, which also has an Oyster card …

COMMENTS

micropayments ftw

I can just imagine now, in the not so distant future, some not entirely honest vendor in a busy public place using a boosted antenna and subtracting a small fee from every person that passes. The amount deducted, say 50p, would be too small for many people to complain about or even notice, and wouldn't trip the transaction fee limits. Now say it was something like a sporting venue, thousands of people could wander past, and that small fee would quickly add up to a tidy profit.

concerning

"More concerning is the ability of the banks to collect usage information about all those cash transactions"

Or... you know... you could just use that thing... fangled tech and all... cash? It's not like they don't already collect debit card habits, so why is this any different?

I try to pay for small exchanges in cash anyway, using card for small transactions is asking for trouble since you never see what you have, so you're more likely to spend more than you expect, whereas you know where you are with cash. I know if my snack machines at work had this I'd end up spending way more than I want on them than when I check to see if I have enough change or not.

@John Macintyre

The Foil

Barge pole, not touching tag?

So, are they going to implement anything resembling security on these things? I'm thinking of how secure Oyster is as a relevant example.

No? What a surprise. I'll be using those small metal or linen tokens until they sign a contract that makes them liable for any and all of any loss I report to them (unless Bruce Schneier or Ross Anderson can prove I was acting fraudulently).

Opt in technology?

"Barclays Bank is to embed contactless technology into every debit card issued from this day forward". Is there a choice here?

I don't use Barclays, but I am sure other banks will follow suit especially if the sheeple see this as a good thing and it takes off.

As this is an offline system how is unusual behaviour detected?

How often are these offline purchases compared to a card holders "normal" usage?

How often do random checks take place, Every 2, 5, 10 or more transactions?

In essence how many £9.99 CDs/DVDs, packets of ciggies or alcohol purchases can be made by the thief who has lifted one's card before the system thinks, hold on wait a minute?

I guess every card stolen will, without a PIN or signature, be worth at least a tenner. A guaranteed £10 bonus possibly much more is enough motivation for some lowlifes to smack some poor sod in the face and take their wallet/purse.

More than one card in my wallet

I can see little benefit

I fail to see how the current chip and pin system is slow! The bottleneck is the terminal itself taking ages to accept and process the payment. Not sure how waving your magic card will make it much quicker. Also, I already use my card for everything. 73p is my best to date in a well known supermarket which I know probably cost them about that much to accept my card.

It will only be the big retailers who get setup with this tech anyway as they can afford the processing costs. Small shops just won't bother until cash costs more to bank than accepting cards, which I can see happening soon enough since the banks control this too.

about bloody time

'contactless' You mean like good old mag stripes used to be?

Chip n Pin might have sounded great on paper, but whichever pillock thought a technology that relied on regular physical contact between the device and the reader would work in commercial environments wants shooting.

Time after time after time, chip & pin cards or readers fail to read because the contacts are worn or dirty. Every retailer I speak to says they are far less reliable than mag swipe cards used to be.

Please get your facts right....

"The communication protocol used by both Visa and Mastercard conforms to the EMV specification, though the kernel and encryption systems are kept secret - a strategy which rarely works out for the best,"

The communication protocol is an ISO standard (ISO 14443). The encryption systems are standard EMV (again, a public standard), and Visa and Mastercard then have their own card application standards built upon EMV (but again, available to terminal and card manufacturers). The kernel - well, that's the logic which goes inside a terminal, which is proprietary software in that each terminal manufacturer will - however, it operates to EMV standards.

A contactless transaction is just a variant of a normal EMV transaction. There's little different apart from the interface used - and certainly there are no proprietary encryption systems used. The only 'secret' part is the private keys loaded onto the cards. In any PKI system, the private keys are kept, well, private. The public keys are used to verify the data on the cards. Anyone with an EMV spec, a card reader and a bit of programming skill can perform an EMV transaction (that doesn't mean that they can actually get any money - although they can trigger the risk management logic, which then requires a full 'online' transaction to reset it (i.e. in the case of a contactless card - a standard EMV transaction with PIN and communication with the issuer)).
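A toy model of the behaviour the comment above describes: the card approves small payments offline until its risk-management counters trip, then insists on an online transaction with PIN, which resets them. This is an added example, not part of the thread and not taken from the EMV specification; the class, the function names and every limit value are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class ContactlessCard:
    """Toy card-side risk management. All limits are assumed values."""
    per_txn_limit_pence: int = 1000       # assumed cap for a no-PIN payment
    max_offline_count: int = 5            # assumed consecutive offline limit
    max_offline_total_pence: int = 3000   # assumed cumulative offline limit
    offline_count: int = 0
    offline_total_pence: int = 0

    def pay(self, amount_pence: int) -> str:
        """Attempt a contactless payment with no PIN and no issuer contact."""
        over_amount = amount_pence > self.per_txn_limit_pence
        over_count = self.offline_count + 1 > self.max_offline_count
        over_total = (self.offline_total_pence + amount_pence
                      > self.max_offline_total_pence)
        if over_amount or over_count or over_total:
            # The card refuses to go further offline; counters are unchanged.
            return "ONLINE_PIN_REQUIRED"
        self.offline_count += 1
        self.offline_total_pence += amount_pence
        return "APPROVED_OFFLINE"

    def online_with_pin(self, pin_ok: bool, issuer_approves: bool) -> str:
        """Full contact transaction; only success resets the counters."""
        if pin_ok and issuer_approves:
            self.offline_count = 0
            self.offline_total_pence = 0
            return "APPROVED_ONLINE"
        return "DECLINED"


def worst_case_exposure(card: ContactlessCard, amount_pence: int) -> tuple:
    """Repeat one purchase without a PIN until the card demands an online
    transaction. Returns (payments approved, total pence spent offline)."""
    approved = 0
    while card.pay(amount_pence) == "APPROVED_OFFLINE":
        approved += 1
    return approved, card.offline_total_pence


if __name__ == "__main__":
    # Constructed scenario: a lost card used repeatedly for £9.99 purchases.
    lost_card = ContactlessCard()
    count, total = worst_case_exposure(lost_card, 999)
    print(f"{count} purchases, £{total / 100:.2f} before a PIN is required")
    print(lost_card.online_with_pin(pin_ok=False, issuer_approves=True))
```

With these assumed limits the exposure from a lost card is bounded by whichever counter trips first, and a failed PIN leaves the counters where they were.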

@POPE Mad Mitch

The range on the cards is very small - a couple of cm at best. An amplified aerial to power up the card at a distance (e.g. even 1m) needs significant power output to do so (although is theoretically possible). Cards being closer than 1m are likely to be damaged in the process!

This ignores the problem of actually receiving the response from the card. It works by modulating the signal from the reader - which needs to be super, super sensitive to pick it up at a distance of 1m. Again, possibly not impossible - but in practice, with cards moving through the field, other cards moving in, moving at angles to the reader etc - makes it practically impossible in a real world situation. Oh, and add to that 'noise' and interference from other RF emitters means the super sensitive receiver gets overloaded with noise.

The fact that everyone walking past a retailer suddenly gets burning coins and molten cards in their pocket is likely to be a bit of a give away...

Great...

First Lloyds swap my cashpoint card over for a debit card that I can't now use in all the cashpoints the old card could, meaning I /have/ to find a Lloyds cashpoint to get money out/find out my balance (don't want to use it as a debit card, too easy to lose track of money spent/still left), and now my next Barclays debit card is going to have a new way to 'lose' money from - won't be too long before someone figures out how to do drive-by money stealing by syphoning off the cash to a bogus company or through a legit company that has been compromised.

Three cheers for anonymous cash you can actually hold in your hands! (apart from the odd counterfeit note & £1 coins) and I wish cashpoints would go back to offering £5 notes again, I don't always want to take out £10 or £20 especially when you've got to make what money you do have last.

Obvious flaw in this system

@Nic Brough

Oyster and contactless EMV payments have little in common apart from the fact they communicate over the same medium. The fault with Oyster (well, actually Mifare) was that NXP/Philips designed an in-house encryption system which was flawed. Cryptographers could not validate their encryption methods - and as often happens without peer review - vulnerabilities were found.

With EMV it uses standards based RSA PKI cryptography. People can look at the EMV standard and check it. You can validate RSA for vulnerabilities. It's actually a pretty open standard.

Now, I'm not saying that EMV is perfect - but it's nothing like Mifare. It's almost like saying that one brand of car rusts badly - therefore all cars rust badly.

@adnim

"I don't use Barclays, but I am sure other banks will follow suit especially if the sheeple see this as a good thing and it takes off."

No no no, you don't see the big picture. This is nothing whatsoever to do with the individual customer. Barclays have launched this new 'product', which its customers will get whether they like it or not.

The inevitable next step is that the boards of other banks will look at what Barclays have done and say: ... uh oh, our competitor is offering a new product that we don't ... they're in a new market that we aren't(*) ... QUICK! get working on our own version of this 'product'!

Sad but true, this is the abstract box-logic thinking which drives these huge corporations, which incidentally is how the credit crunch came about.

Okay

This is the same system that was advertised by having a zoo elephant steal the zookeeper's card and buy a load of stuff. Okay, so it was all cold medicine for the zookeeper's cold, but it was a pretty blatant show of how easy theft can be with one of these.

@AC (@POPE Mad Mitch)

AC, maybe you should go and read the article "Passport RFIDs cloned wholesale by $250 eBay auction spree" - that could read RFIDs from 30 feet away and the researcher thinks he can extend the range to over a mile

but I have no cards..

nor chequebook or current account, all my transactions take place with a building society passbook and a weekly cash withdrawal. Onoes I am being left out of da brave new world of technology! but my loot is safe...

@adnim

"I don't use Barclays, but I am sure other banks will follow suit especially if the sheeple see this as a good thing and it takes off."

Years ago Barclays piloted a cash card system in Leeds where there was a chip built into your card looking not unlike the chip and pin cards used today. You could top up this chip with cash from your account and it could be used in readers found in local traders. You could fit a small amount of cash on the chip, £10 IIRC so the opportunity for fraud was relatively small.

The idea behind this presumably being that you didn't need a PIN or signature to use the card so it was faster and more convenient. But nobody could nick more than a tenner from you at a time, so it was relatively secure.

Anyway whether or not that system was a good idea it never took off. So you shouldn't assume that this will fly either.

lost or stolen

When you're not sure if your wallet's lost or stolen, or if you know you left it somewhere, the fact that cards are pin protected gives you a little time to try to find it, before cancelling the lot if you can't. How much could you lose per unprotected card before a pin request pops up?

Cancelling cards is a massive hassle, tapping in a pin code isn't.

I don't want to be a stick in the mud though. It'll probably evolve into a good, quick system, long as banks cover consumers for any errors, fraud and theft.

@AC (@POPE Mad Mitch)

To add to AC's post above, it seems like every time a technology comes along using radio people have said "you'll never be able to get the range". Whether this is in the context of good ("It'll prevent RFIDs being read from a distance") or bad ("You'll never be able to broadcast further than...").

I've heard the bizarre ideas that if you could the world would cave in, "coins would melt" and the singular quantum thingy would stop being so singular

Seems to me it's been proven wrong every time so far, long wave radio, digital radio, your mobile phone, satellite phone, college students reading entry passes from miles away....

What makes you think that these cards will be any different?

Also what makes you think range is even an issue? Pickpockets don't exactly work from the other side of the road but last time I looked they were quite real. Barclays just invented a new way of having your pocket picked which requires little skill, just wave a reader over people's bums and no actual contact so far less risk.

I can easily imagine a certain breed of criminal drooling over this one

Mine's the coat that will always need to be stolen from the old fashioned way.

@ Tawakalna

RFID Zapper?

What I need is a little device that I can put RFID-enabled cards (and passports...) on that will fry the circuit without causing it to burst into flame or be otherwise visibly obvious that it's been zapped. I'm not yet desperate enough to build a Helmholtz coil setup, I'd much prefer a small gadget.

offline??

"PayWave transactions always take place offline"

What that means is that if you happen to only have £5 in your account and pay for something worth £10 you will be allowed to, and helpfully charged £30+ for the privilege, you will then probably be charged another £30 for an unauthorised overdraft. With an oblivious afternoon, you could easily make 10 or more transactions racking up a charge every time.

Contactless cards

I think there are two issues here.

(1) General acceptance of the system

(2) Financial damage limitation

(1) I do not know what the take-up of this will be in the UK but the take-up for the Octopus card (Hong Kong's equivalent of the Oyster card) was quite good. Then again, they have nearly a decade head start on Britain !! I believe that many chain operations like 7-11 and the fast food chains love this and the savings to the chains in terms of staff cost to handle cash transactions easily offset the cost of the transaction charges.

Since the transactions are only registered when the card is within the (short) field range of a reader, the system will not go berserk reading every card within a *wide* range from the reader as someone had suggested earlier. Otherwise this system will be unworkable when there is a load of people on a London bus with three readers on board going berserk reading everyone's cards multiple times !! And anyone with multiple such cards should not put them together since it could not only screw up the transaction(s) but the cards can interact and screw each other up. Then again, in nanny state Britain, many people cannot function without someone going around wiping their bums for them !!

(2) The damage limitation part is that you can only lose what money you have put in the card. It has *NO* access to your bank account unless you have specifically asked your card to be automatically topped-up when the card balance is low (which any smart person out there in HK knows is not a good idea especially when the card may be stolen and used repeatedly on small(ish) transactions) !!

@ people who have not read the article

It will be quicker cos it does not do the talking to the back that the current system does, so there will be speed increases, and it only challenges you for the PIN at random intervals, so you will not need to enter your PIN every time.

thirteen

point five six megahertz is the frequency for this (nearly) ISO 14443 RFID. One of the weaknesses/threats is that your mail could be scanned at 13MHz and any interesting letters/mail-sacks that ping back are either a credit card/ePass/European citizens card or whatever. I have an HP4700 iPAQ PDA with CF based 13.56MHz antenna podule, I could be scanning your mail now, but I'm not! There's also a possible man-in-the-middle 'relay attack' against eCC, but the relay reader would have to be within centimetres of your card. The attack is possible due to the up to 5 seconds transaction windows that have been defined. Watch out when consumer RFID starts to implement the 900MHz band like for USA eDriving licence & passport cards, =big read range. Personally I will terminate with prejudice my eCC, provided the postman delivered it in the first place!

Use of Information

"More concerning is the ability of the banks to collect usage information about all those cash transactions; they'll know where you drink coffee, what paper you read and how much you spend on cigarettes."

I really wouldn't mind if they used this information for something useful, like security. If they know my spending patterns why don't they notice when they change significantly, like last year when some cock used my card number to buy some online gaming crap. I noticed it on my statement and informed the bank who then cancelled the transaction*, but why didn't the bank notice the unusual pattern?

BTW they are unlikely to know what paper you read or how much you spend on ciggies. All they generally get is the trader, date and time and value of the transaction. Unless the shop is Cigs-R-Us they won't be able to deduce how much you spend on cigs.

* The bank informed me that the transactions took place on a web site that doesn't use the three digit security code from the back of the card. So why the fsck do they deal with these sites? If they refused to deal with companies whose security wasn't good enough fraudulent transactions would be slashed overnight.

Surveillance

"More concerning is the ability of the banks to collect usage information about all those cash transactions; they'll know where you drink coffee, what paper you read and how much you spend on cigarettes."

Well, they can already tell which shops I have spent money in. The information is on my credit card statement too.

...but unless I start using one of the new cards for every transaction, what you've said isn't going to be true.

It would require *every* retailer in the country to switch over to the new system. Until this happens, intelligent people are going to carry that old-fangled cash around in their pocket.

In fact, the switch away from cash doesn't seem likely to happen at all - unless things have changed since the times they introduced cheques and credit cards. IIRC these were both widely tipped to leave cash as an historical curiosity (but as we know, it didn't happen!)

Faster

The retailer may be in a terrible hurry, to need such technology to make transactions go faster, but I'm not. I don't mind opening my wallet, taking out the notes, waiting for the change... Life doesn't have to go at a frenetic pace all the time. Slow down a bit and look at the trees.